linux/tools
Andrey Ryabinin 70a2cba972 perf buildid: Fix off-by-one in write_buildid()
write_buildid() increments 'name_len' with intention to take into
account trailing zero byte. However, 'name_len' was already incremented
in machine__write_buildid_table() before.  So this leads to an
out-of-bounds read in do_write():

  $ ./perf record sleep 0
  [ perf record: Woken up 1 times to write data ]
  =================================================================
  ==15899==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000099fc92 at pc 0x7f1aa9c7eab5 bp 0x7fff940f84d0 sp 0x7fff940f7c78
  READ of size 19 at 0x00000099fc92 thread T0
      #0 0x7f1aa9c7eab4  (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/libasan.so.2+0x44ab4)
      #1 0x649c5b in do_write util/header.c:67
      #2 0x649c5b in write_padded util/header.c:82
      #3 0x57e8bc in write_buildid util/build-id.c:239
      #4 0x57e8bc in machine__write_buildid_table util/build-id.c:278
  ...

  0x00000099fc92 is located 0 bytes to the right of global variable '*.LC99' defined in 'util/symbol.c' (0x99fc80) of size 18
    '*.LC99' is ascii string '[kernel.kallsyms]'
  ...

  Shadow bytes around the buggy address:
    0x00008012bf80: f9 f9 f9 f9 00 00 00 00 00 00 03 f9 f9 f9 f9 f9
  =>0x00008012bf90: 00 00[02]f9 f9 f9 f9 f9 00 00 00 00 00 05 f9 f9
    0x00008012bfa0: f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00

Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/1461053847-5633-1-git-send-email-aryabinin@virtuozzo.com
[ Remove the off-by-one at the origin, to keep len(s) == strlen(s) assumption ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2016-04-25 12:49:16 -03:00
arch tools include: Add basic atomic.h implementation from the kernel sources 2015-05-08 16:11:05 -03:00
build perf probe: Check if dwarf_getlocations() is available 2016-04-06 10:44:28 -03:00
cgroup
firewire
gpio gpio: present the consumer of a line to userspace 2016-02-25 21:07:23 +01:00
hv tools/hv: Use include/uapi with __EXPORTED_HEADERS__ 2016-02-07 21:34:12 -08:00
iio iio: generic_buffer: be helpful about enabling channels 2015-08-16 10:51:26 +01:00
include Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-03-24 10:02:14 -07:00
laptop/freefall Move freefall program from Documentation/ to tools/ 2015-06-08 16:42:07 -06:00
lguest tools/lguest: Clean up include dir 2015-08-26 06:12:35 +02:00
lib tools/lib/lockdep: Fix unsupported 'basename -s' in run_tests.sh 2016-03-30 12:45:56 +02:00
net tools, bpf_asm: simplify parser rule for BPF extensions 2016-02-22 13:29:42 -05:00
nfsd
objtool objtool: Only print one warning per function 2016-03-09 10:48:10 +01:00
perf perf buildid: Fix off-by-one in write_buildid() 2016-04-25 12:49:16 -03:00
power Merge branches 'pm-core', 'powercap' and 'pm-tools' 2016-04-08 21:46:56 +02:00
scripts tools: Move utilities.mak from perf to tools/scripts/ 2016-03-18 13:57:20 -03:00
spi spi: spidev_test: Fix typo in error message 2015-12-08 17:58:56 +00:00
testing selftest/seccomp: Fix the seccomp(2) signature 2016-03-29 13:01:36 -06:00
thermal/tmon tools/thermal: tmon: use pkg-config also for CFLAGS 2015-10-10 11:32:31 +08:00
time
usb usb: patches for v4.4 merge window 2015-10-22 17:19:33 -07:00
virtio virtio_ring: Support DMA APIs 2016-03-02 17:01:57 +02:00
vm tools/vm/page-types.c: avoid memset() in walk_pfn() when count == 1 2016-03-17 15:09:34 -07:00
Makefile Merge branch 'core-objtool-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-03-20 18:23:21 -07:00